Skill/Plugin Backdoor

Install a backdoored skill or plugin that persists across agent restarts

Tactic

Persistence (Stage 6)

Establish persistent access surviving restarts and session changes

Attack Class

SKILL-FRONTMATTER

Embedding malicious instructions in skill or plugin metadata and description fields

Evidence

validated

Reproduced in controlled lab environment (DVAA) with documented steps.

DVAA Validation

Reproductions in Damn Vulnerable AI Agent, the OpenA2A intentionally-broken agent for kill-chain validation.

skill-backdoor-install

Honeypot Coverage (AgentPwn)

Queuedsupply-chain

In scope for honeypot observation; trap page or telemetry hook not yet built.

Supply-chain trap page not yet built.

Evidence Source Breakdown

HMA

7 records

Evidence Timeline

HMA

HMA check SKILL-002 failed on fake-vulnerable-agent

Apr 29, 2026

HMA

HMA check SKILL-002 failed on fake-vulnerable-agent

Apr 29, 2026

HMA

HMA check SKILL-001 failed on opena2a/code-review-skill

Apr 27, 2026

HMA

HMA check SKILL-001 failed on opena2a/code-review-skill

Apr 27, 2026

HMA

HMA check SKILL-002 failed on fake-vulnerable-agent

Apr 22, 2026

HMA

HMA check SKILL-001 failed on damn-vulnerable-ai-agent

Apr 22, 2026

HMA

HMA check SKILL-001 failed on hackmyagent-release-test-vplv

Apr 13, 2026

Detection (HackMyAgent)

Live6 live · 0 queued

SKILL-001SKILL-002SKILL-003SKILL-004SKILL-005SKILL-006

npx hackmyagent secure --ciLive = check implemented in hackmyagent; queued = declared, not yet implemented

Defense (OASB Controls)

Live4 live · 0 queued

OASB 8.1 OASB 8.2 OASB 8.3 OASB 8.4

Live = documented at oasb.ai; queued = declared, not yet documented

How to Cite

AI Agent Threat Matrix T-6004 (Skill/Plugin Backdoor). OpenA2A, 2026. https://threats.opena2a.org/techniques/T-6004

← Back to Matrix